aboutsummaryrefslogtreecommitdiffstats
path: root/tests/cert-install
Commit message (Collapse)AuthorAgeFiles
* Fix post-issuance validation logic.Guilhem Moulin2024-06-131
| | | | | | | | | | | | | | | | | | | | | Rather than adding intermediates in the certificate bundle we now validate the leaf certificate with intermediates as untrusted (used for chain building only). Only the root certificates are used as trust anchor. Not pining intermediate certificates anymore is in line with Let's Encrypt's latest recommendations: Rotating the set of intermediates we issue from helps keep the Internet agile and more secure. It encourages automation and efficiency, and discourages outdated practices like key pinning. “Key Pinning” is a practice in which clients — either ACME clients getting certificates for their site, or apps connecting to their own backend servers — decide to trust only a single issuing intermediate certificate rather than delegating trust to the system trust store. Updating pinned keys is a manual process, which leads to an increased risk of errors and potential business continuity failures. — https://letsencrypt.org/2024/03/19/new-intermediate-certificates:
* Pass `-in /dev/stdin` option to openssl(1) to avoid warning with recent ↵Guilhem Moulin2024-06-131
| | | | | | | | | | versions. OpenSSL 3.2 from Debian sid spews Warning: Reading certificate from stdin since no -in or -new option is given without an explicit `-in /dev/stdin`.
* t/cert-install: Ensure the subjectName is lowercase.Guilhem Moulin2024-06-131
| | | | | | | | | Domain names are case insensitive so it shouldn't matter, but Let's Encrypt (staging) ACME server fails with 400 Bad Request (Invalid identifiers requested :: Cannot issue for "YXJCTT7S6K2RQLVO.lacme-test.guilhem.org": Domain name contains an invalid character) if the sub-domain part of the subjectName is left all-caps.
* lacme: Add 'owner' resp. 'mode' as (prefered) alias for 'chown' resp. 'chmod'.Guilhem Moulin2021-02-241
|
* lacme: Default mode for certificate(-chain) creation is 0644 minus umask ↵Guilhem Moulin2021-02-241
| | | | | | | | restrictions. Also, always spawn the client with umask 0022 so a starting lacme(8) with a restrictive umask doesn't impede serving challenge response files.
* lacme: Don't write certificate(-chain) file on chown/chmod failure.Guilhem Moulin2021-02-241
| | | | | | | | | Otherwise we end up with files with mode 0644 owned by root:root, and subsequent lacme(8) invocations will likely not renew them for a while. This change also saves a chown(2) call. And the new logic (chown resp. chmod from root:root resp. 0600) is safe if we ever include private key material in there too.
* tests/cert-install: Include tests for failing chown(2).Guilhem Moulin2021-02-241
| | | | Due to unknown user/group name.
* tab damageGuilhem Moulin2021-02-241
|
* typofixGuilhem Moulin2021-02-241
|
* Add test suite against Let's Encrypt's staging environment.Guilhem Moulin2021-02-201
https://letsencrypt.org/docs/staging-environment/